Make sure "XXX" is properly sanitized for constants


Brian Sperlongano

Oct 27, 2015, 3:51:23 PM
to SonarQube
I have a number of critical findings in the form:

Make sure "XXXX" is properly sanitized before use in the OS command.

Where XXXX is a public static final String.

This finding occurs whenever I use new ProcessBuilder(XXXX, ... )

This finding makes sense when arbitrary variables are passed into ProcessBuilder but doesn't make sense when constants are used.  Would it make sense to suppress this finding for static final types?

Massimo Paladin

Oct 28, 2015, 3:51:05 AM
to Brian Sperlongano, SonarQube
Hello,

could you please provide a reproducer?
What version of the java plugin are you using?

Cheers,


Massimo PALADIN | SonarSource
Software Developer @ Language Team
http://sonarsource.com


Brian Sperlongano

Nov 2, 2015, 3:41:16 PM
to SonarQube, zelon...@gmail.com
Here is a simple example I've composed that causes the finding for me. It's a simple program that prints to the console the contents of the root directory. It appears that the problem I'm seeing occurs when String constants are defined in a different class.

import java.io.BufferedReader;
import java.io.InputStreamReader;

// Enclosing class name added so the snippet compiles as a single file; the original post omitted it
public class Reproducer
{
  // Constants defined in a separate (nested) class, which is what triggers the finding.
  // Declared static so that it may hold static fields (required on Java 8).
  private static class Commands
  {
    public static final String LS = "ls";
    public static final String ROOT = "/";
  }

  public static void main(String... args) throws Exception
  {
    ProcessBuilder b = new ProcessBuilder(Commands.LS, Commands.ROOT); //Finding on this line
    Process p = b.start();
    new BufferedReader(new InputStreamReader(p.getInputStream())).lines().forEach(System.out::println);
  }
}

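The thread turns on the difference between the case the rule is meant to catch (a process started from attacker-influenced input) and the case in the reproducer above (every ProcessBuilder argument is a compile-time constant). The following is an added example, not code from the thread or from SonarSource, showing both sides of that distinction in one file: the program name stays a constant, and the single variable argument is validated against an allowlist before it reaches the OS. It assumes Java 11 or later on a Unix-like host that has ls; the class, method and field names (SafeProcessBuilderExample, ALLOWED_DIRS, listAllowedDirectory, runUntrusted) are hypothetical names chosen for this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

public class SafeProcessBuilderExample {

    // Constant program name, as in the thread's reproducer: nothing here is attacker-controlled.
    private static final String LS = "ls";

    // Allowlist of directories a caller may ask to list (constructed for this example).
    private static final Set<String> ALLOWED_DIRS = Set.of("/", "/tmp");

    // The pattern the rule exists for: the program to run comes straight from untrusted input.
    // Kept only as the contrast case; it is never called from main.
    static Process runUntrusted(String userSupplied) throws IOException {
        return new ProcessBuilder(userSupplied).start(); // a finding here is legitimate
    }

    // Hardened variant: constant command, one variable argument checked against the allowlist.
    // ProcessBuilder hands each list element to the OS as its own argv entry with no shell in
    // between, so the only thing that must be controlled is the value itself, which the
    // allowlist does before any process is started.
    static List<String> listAllowedDirectory(String requestedDir)
            throws IOException, InterruptedException {
        if (!ALLOWED_DIRS.contains(requestedDir)) {
            throw new IllegalArgumentException("directory not permitted: " + requestedDir);
        }
        Process p = new ProcessBuilder(LS, requestedDir).start();
        List<String> lines;
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            lines = r.lines().collect(Collectors.toList());
        }
        if (p.waitFor() != 0) {
            throw new IOException("ls exited with status " + p.exitValue());
        }
        return lines;
    }

    public static void main(String... args) throws Exception {
        // Same behaviour as the reproducer: list the root directory.
        listAllowedDirectory("/").forEach(System.out::println);

        // A value outside the allowlist is rejected before ProcessBuilder is ever constructed,
        // regardless of whether it looks like a shell metacharacter sequence or a plain path.
        try {
            listAllowedDirectory("/etc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In listAllowedDirectory the analyzer has nothing to complain about: LS is a constant and requestedDir cannot reach the OS without first passing the allowlist check, which is the "sanitized before use" the rule message asks for. The reproducer in the post above is the same shape minus the variable argument, which is why the constant-only finding reads as a false positive.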
Brian Sperlongano

Nov 2, 2015, 3:44:16 PM
to SonarQube, zelon...@gmail.com
Forgot to add - I'm using SonarQube 5.1.1 with the Sonar Java plugin version 3.6



Brian Sperlongano

Dec 2, 2015, 10:06:45 AM
to SonarQube, zelon...@gmail.com
Just bumping this thread to make sure it's seen -- false positive with reproducer.

Massimo Paladin

Dec 7, 2015, 10:19:58 AM
to Brian Sperlongano, SonarQube
Hi,

Sorry for the delay, and thank you for your reproducer. I created a ticket to fix the issue:

Cheers,

Massimo PALADIN | SonarSource
Software Developer @ Language Team
http://sonarsource.com
